b'T\nop10ManagementChal\n                 lenges\n\x0cMajor Challenges for the Department\n\n\n\nThis section highlights OIG\xe2\x80\x99s Top 10 Management Challenges\nthat faced the Department at the close of this semiannual period.               Top 10 Management Challenges\nEach challenge meets one or more of the following criteria: (1) it is        \x18.\t Strengthen Department-wide information security.\nimportant to the Department\xe2\x80\x99s mission or the nation\xe2\x80\x99s well-being,            \x18.\t Effectively manage departmental and bureau acquisi\xc2\xad\n(2) it is complex, (3) it involves sizable resources or expenditures,            tion processes.\nor (4) it requires significant management improvements. Because\n                                                                             \x18.\t Strengthen internal controls over financial, program\xc2\xad\n\nof the diverse nature of Commerce activities, these criteria some\n                                                                                 matic, and business processes.\n\ntimes cut across bureau and program lines. Experience has shown\nthat by aggressively addressing these challenges, the Department             4.\t Ensure that uSpto uses its authorities and flexibilities\ncan enhance program efficiency and effectiveness; eliminate seri                 as a performance-based organization to achieve better\n                                                                                 results.\nous operational problems; decrease fraud, waste, and abuse; and\nachieve substantial savings.                                                 5.\t Control the cost and improve the accuracy of the de\xc2\xad\n\n                                                                                 cennial census.\n\n                                                                             6.\t Effectively manage the development and acquisition of\n                                                                                 environmental satellites.\nChallenge 1\n                                                                             7.\t promote fair competition in international trade.\nStrengthen Department-Wide                                                   8.\t Effectively manage noaa\xe2\x80\x99s ocean and living marine\n\n                                                                                 resources stewardship.\n\nInformation Security\n                                                                             9.\t aggressively monitor emergency preparedness, safety,\nSince enactment of the Federal Information Security Management                   and security responsibilities.\nAct (FISMA), government agencies have devoted significant re                \x180. Enhance export controls for dual-use commodities.\nsources to improving the security of information stored on their\ncomputer systems. The problem is long standing: GAO has iden\ntified information security as a government-wide high-risk issue\nevery year since 1997. At Commerce, it is the No. 1 challenge and       for completing improved C&A packages, which recognized that the\nhas been a material weakness since 2001.                                amount of time necessary to complete the C&A process correctly\n                                                                        had been continually underestimated. When revised schedules\nTo eliminate the material weakness, Commerce has emphasized             were finalized in June 2006, the Department\xe2\x80\x99s Office of the CIO\nimproving its certification and accreditation (C&A) process for         (OCIO) expected a total of 28 C&A packages to be completed by\nIT systems. In February 2005, the chief information officer (CIO)       the end of July, 27 of which were for high- or moderate- impact\nissued a plan to produce acceptable quality C&A packages for all        systems.1 OCIO reviewed completed packages and worked with\nnational-critical systems and some mission-critical systems by the      the bureaus to address concerns, as necessary. If OCIO determined\nend of FY 2005 and for all other systems by the end of FY 2006.         a package was of sufficient quality, it was forwarded to OIG for\nIn light of that plan, our approach to the C&A portion of our 2005      FISMA review. As of August 24, 2006, our agreed-upon cutoff\nFISMA evaluation was to review all improved packages available          date, the CIO\xe2\x80\x99s office had received packages for 22 high- and\nby August 31, 2005. Only five were ready\xe2\x80\x94three from NOAA                moderate-impact systems, 12 of which were forwarded to us.\nand two from Census. Those packages showed some noteworthy              We evaluated a total of 15 C&A packages for FY 2006 FISMA\nimprovements. However, with such a low number of packages               reporting. Eleven of these packages were Commerce-owned sys\navailable for review and considering the deficiencies we found, we      tems that had gone through the improvement process, and four\nconcluded that the Department\xe2\x80\x99s C&A process had not improved\nto the point where authorizing officials had sufficient details about\nremaining system vulnerabilities to make fully informed accredita\n                                                                        1\n                                                                          Commerce systems were previously categorized as national critical, mission\n                                                                        critical, or business essential. With the publication of NIST Federal Information\ntion decisions, and the IT security material weakness remained.         Processing Standard 199, Standards for Security Categorization of Federal Infor\n                                                                        mation and Information Systems, agencies must now categorize information and\nIn early FY 2006, the acting CIO worked with the operating units        information systems as low, moderate, or high impact, based on the potential con\nto reassess the schedule and give units more latitude on time frames    sequences to organizations and individuals should there be a breach of security.\n\n\n\n\nSeptember 2006/Semiannual Report to Congress\t                                                                                                        1\n\x0cMajor Challenges for the Department\n\n\n\n\n                                                                         Our review included two draft C&A packages for USPTO contrac\n                                                                         tor systems, which we found to be of poor quality. Therefore, we\n                                                                         also recommended that USPTO, which submits its performance\n                                                                         and accountability report separately, report IT security as a mate\n                                                                         rial weakness.\n\n                                                                         Protection of Sensitive\n                                                                         Agency Information\n\n                                                                         After a recent series of incidents throughout the federal government\n                                                                         involving the compromise or loss of sensitive personal information,\n                                                                         the Office of Management and Budget (OMB) issued Memoran\n                                                                         dum M-06-16 on June 23, 2006. The memorandum emphasized the\n                                                                         need to protect personally identifiable information that is remotely\n                                                                         accessed or physically removed from an agency location, required\n                                                                         agencies to ensure that appropriate safeguards were in place within\n                                                                         45 days, and asked inspectors general to conduct reviews.\n\n                                                                         OMB defines personally identifiable information as \xe2\x80\x9cany informa\n                                                                         tion about an individual maintained by an agency, including, but\n                                                                         not limited to, education, financial transactions, medical history,\n                                                                         and criminal or employment history and information which can be\n                                                                         used to distinguish or trace an individual\xe2\x80\x99s identity, such as their\n                                                                         name, social security number, date and place of birth, mother\xe2\x80\x99s\n                                                                         maiden name, biometric records, etc., including any other personal\n                                                                         information which is linked or linkable to an individual.\xe2\x80\x9d2\nSource: http://csrc.nist.gov/policies/Whatagencycandonow-oMB-memo.pdf\n                                                                         OMB\xe2\x80\x99s memorandum included a checklist prepared by NIST for\n                                                                         protection of remote information and recommended four additional\nwere high- and moderate impact contractor systems that had not.          actions: (1) encrypting all sensitive agency data on mobile com\n(FISMA requires OIGs to review contractor systems.)                      puters/devices, (2) allowing remote access only with two-factor\n                                                                         authentication,3 (3) using a \xe2\x80\x9ctime-out\xe2\x80\x9d function for remote access\nWe found a larger percentage of C&A packages met the require             and mobile devices requiring user reauthentication after 30 minutes\nments of Commerce\xe2\x80\x99s IT security policy and applicable National           of inactivity, and (4) logging all computer-readable data extracts\nInstitute of Standards and Technology (NIST) standards and               from databases holding sensitive information and verifying such\nguidance (33 percent) as compared to last year (13 percent). But         extracts have been erased within 90 days if no longer needed.\nprogress has been slow. Overall, we found that security plans and\nrisk assessments have continued to improve. Security plans have          The President\xe2\x80\x99s Council on Integrity and Efficiency (PCIE) pre\nshown particular improvement in the identification of network            pared a review guide for inspectors general and was to provide a\ncomponents. To be consistent with NIST standards and guidance            government-wide report to OMB in October based on input from\nand better support selection and tailoring of security controls, risk    IG reviews of their agencies.4 To evaluate Commerce, we selected\nassessments now need to focus on specific threats and vulnerabili        a sample of 10 systems. This represents 16 percent of all systems\nties for a given system instead of considering all possible risks.       identified by Commerce bureaus as storing or processing person\n\nWe also found significant improvement in testing of the five sys\ntems we reported as certified and accredited, as well as in testing\n                                                                         2\n                                                                           OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifi\n                                                                         able Information and Incorporating the Cost for Security in Agency Information\nof a system granted interim authorization to operate. However, the       Technology Investments, July 14, 2006.\nremaining nine systems had serious deficiencies in the assessment        3\n                                                                           Two-factor authentication is achieved by authenticating two of the following three\nof security controls, particularly in the testing of operational and     factors: 1) \xe2\x80\x9csomething you know\xe2\x80\x9d (e.g. a password), 2) \xe2\x80\x9csomething you have\xe2\x80\x9d (i.e. \n\ntechnical controls needed to determine whether the security controls     in your possession at the time of the authentication), or 3) \xe2\x80\x9csomething you are\xe2\x80\x9d \n\nfor network components are in place and operating as intended. That      (e.g., a biometric such as your fingerprint)\n\n                                                                         4\n                                                                           The PCIE was established by Executive Order 12805, May 11, 1992, to address \n\nbeing the case, neither the certification agent nor the authorizing of   integrity, economy, and effectiveness issues that transcend individual government\nficial had adequate information on the remaining vulnerabilities, and    agencies, and increase the professionalism and effectiveness of IG personnel\nwe again found this to be a material weakness within Commerce.           throughout the government.\n\n\n\n\n2                                                                                     U.S. Department of Commerce/Office of Inspector General\n\x0c                                                                                                       Major Challenges for the Department\n\n\n\n\nally identifiable information and accessed remotely or physically      control assessments. The security control assessments did not\nremoved from an agency location. We reviewed the current sys           evaluate many of the system controls and were conducted without\ntem security plan and all test results verifying that the applicable   adequate test procedures. Consequently, NOAA\xe2\x80\x99s certification\ncontrols are in place for each of these systems.                       process did not provide sufficient information to authorizing of\n                                                                       ficials on remaining system vulnerabilities.\nBecause of the short time available to perform our work (results\nwere due to PCIE on September 22), our review was limited              In its response, NOAA stated that it had completed C&A activities\nin scope, relying primarily on a comprehensive examination of          for POES and SARSAT nearly 14 months ago, had made immedi\nsecurity control test results provided by the operating units. Our     ate changes to its C&A process after our December 2005 exit con\nFISMA work plan for FY 2007 includes actual testing of applicable      ference, and has implemented most of the changes recommended\nsecurity controls.                                                     in our report. However, as we noted in our report, we prepared\n                                                                       the report because some of the problems we identified in our FY\nWe found that in most cases bureaus could not demonstrate that the     2005 and previous reviews were still evident in the additional five\nnecessary steps have been taken to ensure that personally identifi     NOAA C&A packages we reviewed early in FY 2006. We hope\nable information is adequately safeguarded. None of the system         that documenting our concerns in this report and making formal\ndocumentation reviewed indicated that personally identifiable          recommendations for improvement will facilitate complete cor\ninformation was stored or processed, a step needed to determine        rection of these issues, many of which have persisted for some\nthe required safeguards. The Department\xe2\x80\x99s IT security policy           time. (See page 33.)\ndoes not explicitly address the protection needs associated with\npersonally identifiable information that is accessed remotely or       NOAA E-Authentication\nphysically removed. The Department\xe2\x80\x99s OCIO has indicated that\na revised policy addressing personally identifiable information        E-authentication is the process of electronically verifying the\nrequirements will be available during FY 2007. Most of the sys         identities of users accessing government services over the Internet\ntems we reviewed showed no evidence that required protections          and is crucial to the Department\xe2\x80\x99s ability to properly authorize\nfor personally identifiable information transported and stored         access to data and hold users accountable for their actions. We\noffsite, such as encryption, are implemented. There also was no        evaluated the quality of NOAA\xe2\x80\x99s e-authentication risk assessment\nevidence that protections are in place for remote access of person     and controls for SARSAT\xe2\x80\x94the U.S. portion of an international\nally identifiable information, such as virtual private networks or     program that uses satellites to coordinate search and rescue activi\ncontrols on downloading and storage of such data.                      ties. These controls, implemented for two SARSAT web-based\n                                                                       applications, provide a first line of defense for beacon registration\nTo address the loss of sensitive personal information from laptop      data that is protected under the Privacy Act. According to NOAA\xe2\x80\x99s\ncomputers and related equipment at the Census Bureau, the Secre        e-authentication risk assessment, one consequence of unauthor\ntary of Commerce asked OIG to determine the extent of problems         ized use of the SARSAT beacon registration system is that search\nin protecting sensitive personal information at Census, including      and rescue personnel could waste valuable time using incorrect\nwhether property management policies and practices are adequate        or misleading data.\nin light of the bureau\xe2\x80\x99s unique workforce and mission. We plan to\nreport on the results of our evaluation in the next semiannual.        The objectives of our review were to determine if the risk assess\n                                                                       ment adequately identified the requirements for e-authentication\nNOAA C&A                                                               controls and whether the controls had been implemented and prop\n                                                                       erly certified prior to the system\xe2\x80\x99s accreditation. Our evaluation\nIn this semiannual period, we reported on findings from our FY         found that SARSAT\xe2\x80\x99s e-authentication controls do not provide ad\n2005 review of three NOAA C&A packages: the Search and Rescue          equate assurance of users\xe2\x80\x99identities and recommended that NOAA\nSatellite-Aided Tracking system (SARSAT), the Polar Operational        redo the e-authentication risk assessment to better characterize\nEnvironmental Satellite Ground System (POES), and the Office           and assess authentication risk, improve the system security plan\nof Response and Restoration Seattle Local Area Network (Seattle        to identify e-authentication requirements and appropriate controls,\nLAN). Each of these systems was certified by NOAA personnel            test controls, and take actions to correct deficiencies.\nand accredited by a senior NOAA official as part of NOAA\xe2\x80\x99s C&A\nimprovement effort.                                                    NOAA disagreed with our conclusion that SARSAT\xe2\x80\x99s e-authentica\n                                                                       tion controls do not provide adequate assurance of users\xe2\x80\x99identities,\nOur report focused on two problem areas: incomplete system             but agreed with all but one of our recommendations. After we\ndescriptions and inadequate security control assessments. In           clarified the meaning of that recommendation\xe2\x80\x94to document any\nsufficiently complete system descriptions can yield inadequate         deficiencies identified as a result of performing e-authentication\nidentification and examination of system components in security        control testing\xe2\x80\x94NOAA agreed with it as well. (See page 31.)\n\n\n\n\nSeptember 2006/Semiannual Report to Congress                                                                                             3\n\x0cMajor Challenges for the Department\n\n\n\n\nIT Security Clauses in Contracts                                         For example, the Census Bureau\xe2\x80\x99s contracting for products and\n                                                                         services to support 2010 decennial operations continues to bear\nWe conducted an evaluation to determine whether NOAA is in               watching. The bureau estimates that 17 percent ($1.9 billion) of its\ncorporating the two information security clauses prescribed by the       2010 budget will be spent on contracts for information technology\nDepartment into contracts and to evaluate implementation of the          systems, advertising, and leases for local office space. One key\nclause requirements. Clause 73 requires contractors to comply with       IT program\xe2\x80\x94Field Data Collection Automation (FDCA)\xe2\x80\x94will\nthe Department\xe2\x80\x99s IT security policy and have their IT resources          develop the handheld mobile computers that field staff will use\ncertified and accredited if they connect to a Commerce network           to collect 2010 decennial information. This is a critical piece of\nor process or store government information. Clause 74 requires           the bureau\xe2\x80\x99s reengineered strategy. Census originally planned to\ncontractor personnel to undergo appropriate background screening         develop this equipment in-house but determined in early 2004\nand IT security awareness training.                                      that it lacked the management and technical resources to do so,\n                                                                         and on March 31, 2006, awarded a system development contract.\nWe reviewed a judgmental sample of 16 NOAA service contracts             However, the late decision to use a contractor and the initial slow\nand interviewed managers and staff from NOAA\xe2\x80\x99s Office of                 pace in planning the acquisition shortened the amount of time\nAcquisition and Grants, Office of the Chief Information Officer,         available for awarding the contract and developing FDCA. This\nand line offices. Because some problematic aspects of Clause 73          will delay address canvassing, the first major field operation of\ncontributed to issues we identified at NOAA and in a previous re         the dress rehearsal for the 2010 census.\nview at USPTO, we also made recommendations to Departmental\nofficials. Our report highlighted the need to clarify the require\nment to include Clause 73 in all contracts in which contractor IT\nresources are either connected to a government trusted network or        Challenge 3\nare allowed privileged access to government information. For the\nDepartment, the evaluation identified needed improvements to the         Strengthen Internal Controls\nIT security clause and the Commerce Acquisition Manual as well           Over Financial, Programmatic,\nas the need for developing additional guidance to aid contracting\nofficers and contracting officer representatives in their oversight of   and Business Processes\ncontractor information security. For NOAA we identified improve\nments needed for ensuring the certification and accreditation, as        Internal controls are the steps agencies take to make sure their\nappropriate, of contractor IT resources.                                 operations are effective, efficient, and in compliance with laws\n                                                                         and regulations. Internal controls also ensure that financial re\nBoth the Department and NOAA agreed with our recommenda                  porting is reliable, and assets are safeguarded from waste, loss,\ntions. On September 27, 2006, in response to our recommenda              or misappropriation, according to the Office of Management and\ntions, the Department\xe2\x80\x99s director of acquisition management and           Budget (OMB). Two documents, the Federal Managers\xe2\x80\x99 Financial\nprocurement executive issued a procurement memorandum and                Integrity Act (FMFIA) and the 2004 revision of OMB Circular\nCommerce Acquisition Manual notice with revisions to the clause          A-123 (Management\xe2\x80\x99s Responsibility for Internal Control), set out\nand changes to the approach to determine the level of contract risk      internal control requirements for the federal government: Com\nso that personnel receive background investigations commensurate         merce and all federal agencies must define and document major\nwith the risk level. (See page 35.)                                      financial internal control processes and test key financial controls\n                                                                         to determine whether they are effective as of June 30, 2006.\n\n                                                                         Although we noted recent improvement in the Department\xe2\x80\x99s\n                                                                         management and financial accountability as well as in program\nChallenge 2                                                              and operational effectiveness, our audits continually indicate more\n                                                                         work is needed to strengthen internal controls over programs,\nEffectively Manage                                                       operations, and administrative areas.\nDepartmental and Bureau\nAcquisition Processes                                                    We expect the new federal emphasis on strong internal controls to\n                                                                         create a number of new demands for OIG reviews in the coming\nCommerce spends nearly $2 billion annually on goods and ser              years. For example, the Digital Television Transition and Public\nvices\xe2\x80\x94roughly a third of its annual appropriation\xe2\x80\x94and each year          Safety Act of 2005 puts NTIA, one of the Department\xe2\x80\x99s smaller\nrelies more on contractors to support its mission-critical work.         agencies, in a position of having to manage an enormous national\nAdequate oversight of acquisition planning and execution is es           project with an even larger budget than had been anticipated. Suc\nsential to ensuring that taxpayers dollars are spent effectively and     cessfully implementing this act will constitute a significant manage\nefficiently and procurement laws and regulations are followed.           ment challenge for the Department. We will share lessons learned\n\n\n\n\n4                                                                                   U.S. Department of Commerce/Office of Inspector General\n\x0c                                                                                                      Major Challenges for the Department\n\n\n\n\nfrom our work in other areas to help the agency design strong,        Challenge 5\nwell-structured programs and minimize opportunities for fraud.\n                                                                      Control the Cost and Improve\n                                                                      the Accuracy of the Decennial\nChallenge 4                                                           Census\n                                                                      Even after adjusting for inflation, the 2010 census will be the\nEnsure that USPTO Uses Its                                            country\xe2\x80\x99s most expensive decennial ever\xe2\x80\x94estimated to cost\nAuthorities and Flexibilities                                         $11.3 billion. The Census Bureau\xe2\x80\x99s redesigned decennial plan,\nas a Performance-Based                                                established after the 2000 Census, is heavily dependent on auto\nOrganization to Achieve                                               mating critical field operations to accurately count the nation\xe2\x80\x99s\n                                                                      population within budget. The bureau has established a rigorous\nBetter Results                                                        testing schedule to monitor development and implementation of\n                                                                      the strategy, identify problems, and incorporate solutions in time\nSince March 2000 when the Patent and Trademark Office Efficiency\n                                                                      for the decennial.\nAct transformed USPTO into a performance-based organization de\nsigned to operate more like a private corporation than a government\n                                                                      During the last 6 months, we built on the work we did in 2005 and\nagency, OIG has paid close attention to a number of aspects of the\n                                                                      early 2006, which reviewed the 2006 test\xe2\x80\x99s address canvassing\norganization\xe2\x80\x99s internal management structures and practices.\n                                                                      operation. This semiannual report details our review of Census\xe2\x80\x99s\n                                                                      test to enumerate the group quarters population (see page 19).\nUSPTO faces numerous challenges, such as a continuing increase in\napplications, training about 1,000 newly hired examiners in Patents\n                                                                      Although most U.S. residents live in residential housing units such\nand Trademarks, and transitioning to an electronic processing envi\n                                                                      as single-family houses, apartments, and mobile homes, more than\nronment. In addition, USPTO\xe2\x80\x99s expanded authority over personnel\n                                                                      7 million people live in situations such as college dormitories,\ndecisions and processes, procurement, and information technology\n                                                                      nursing homes, prisons, and group homes, collectively known as\noperations needs to be effectively and efficiently utilized.\n                                                                      group quarters. We reviewed the group quarters testing operation\n                                                                      at the Census Bureau\xe2\x80\x99s test site in Travis County, Texas. The area\nOIG has issued nearly a dozen reports examining problems at\n                                                                      is ideal for testing the group quarters operation because it is home\nUSPTO since 2001. The bureau has generally taken decisive ac\n                                                                      to four universities and colleges, a state prison, and numerous other\ntion to address some problems we identified in the past, and we\n                                                                      group living facilities.\nhave been pleased that USPTO has been receptive to our recom\nmendations. But ultimately, we believe that many of the problems\nUSPTO suffers are serious and require the sustained commitment        New Methods, New Challenges\nof senior managers to resolve. OIG will continue to monitor the\nbureau\xe2\x80\x99s progress.                                                    Our review found that although the bureau is working on new meth\n                                                                      ods to better enumerate the group quarters population, it continues\n                                                                      to face a number of challenges. For example, nontraditional student\n                                                                      housing, such as private dorms and student cooperative housing, did\n                                                                      not easily fit into any of Census\xe2\x80\x99s group quarters definitions. Some\n                                                                      times these units were defined as private residences and received\n                                                                      housing unit questionnaires. In those cases, there was an increased\n                                                                      likelihood that the unresponsive students had already moved out of\n                                                                      their residence before the follow-up operation. When this occurred,\n                                                                      enumerators relied on records kept in administrative offices, which\n                                                                      often lacked Hispanic origin and race information. We also found\n                                                                      that 42 percent of the validation workload was associated with large\n                                                                      apartment complexes erroneously identified as potential group quar\n                                                                      ters during address canvassing. This caused problems in the group\n                                                                      quarters validation and the nonresponse follow-up operations.\n\n                                                                      One of the objectives of our review was to independently assess\n                                                                      the completeness of the group quarters listing prepared for the\nA USPTO trademark information specialist assists customers.           Census 2006 test. The bureau used four sources to develop a list\n                                                                      of all potential group quarters for the 2006 test, which was then\nSource:\xe2\x80\x82uSpto\n\n\n\n\nMarch 2006/Semiannual Report to Congress                                                                                                5\n\x0cMajor Challenges for the Department\n\n\n\n\n                                              Group Quarters Activities in the 2006 Census Test\n                                                                                                 Group Quarters\n                              Group Quarters                                                                                       Group Quarters\n    Operation                                                 Address Canvassing                Validation/Advance\n                             List Development                                                                                       Enumeration\n                                                                                                        Visit\n                        June\xe2\x80\x82\x18004\xe2\x80\x94with updates                     July\xe2\x80\x82\x18005\xe2\x80\x94                    December\xe2\x80\x82\x18005\xe2\x80\x94                     april\xe2\x80\x82\x18006\xe2\x80\x94\n       Dates\n                      throughout\xe2\x80\x82\x18006 Census test                September\xe2\x80\x82\x18005                    January\xe2\x80\x82\x18006                      May\xe2\x80\x82\x18006\n    Description       List created using                    Identified potential              Listers visited\xe2\x80\x82\x18,778         Enumeration of all\n                      \xe2\x80\xa2 \x18000 group quarters                 \xe2\x80\x9cother Living Quarters\xe2\x80\x9d           oLQs in austin and 84         identified group quarters\n                      \xe2\x80\xa2 administrative records              (oLQs)                            oLQs on the Cheyenne          facilities\n                      \xe2\x80\xa2 address canvassing (other                                             River Reservation to\n                         Living Quarters)                   Ensured addresses were            designate address status\n                      \xe2\x80\xa2 other Census survey work            correct and/or made               as a\n                                                            changes to update the             \xe2\x80\xa2    GQ\n                                                            Master address File               \xe2\x80\xa2    Housing\xe2\x80\x82unit\n                                                                                              \xe2\x80\xa2    nonresidential\n                                                                                              \xe2\x80\xa2    Vacant\n                                                                                              \xe2\x80\xa2    transient\n                                                                                              \xe2\x80\xa2    Duplicate\n                                                                                              \xe2\x80\xa2    other\n                                                                                              Group quarters\n                                                                                              administrators contacted\n                                                                                              regarding upcoming\n                                                                                              group quarters\n                                                                                              enumeration; privacy\n                                                                                              and confidentiality were\n                                                                                              discussed\n\nSource:\xe2\x80\x82u.S. Census Bureau, 2006 Census Test Project Management Plan, \x180\x180 Census Memoranda Series\xe2\x80\x82no. 8 (Reissue) December\xe2\x80\x82\x18005\n\n\n\nrefined by the group quarters validation operation, resulting in a\nfinal list of group quarters to be enumerated. We found a number\nof group quarters that were not on the final enumeration list by\nconducting a limited Internet search and speaking with admin\nistrators. We also found duplicates\xe2\x80\x94addresses that appeared on\nboth the enumeration and housing unit lists or group quarters that\nappeared twice on the enumeration list. These errors can result in\nan inaccurate count of the population because individuals living\nin group quarters enumerated via the household questionnaire\nmay be missed and duplicates on the list can result in people be\ning counted twice.\n\nWe also found that Census should take additional steps to count\nthe student population, such as working closely with fraternity\nand sorority campus oversight organizations and exploring the\nuse of the Internet as a response option for this computer-oriented\ngeneration. Finally, we noted that some additional group quarters\nprocesses and procedures warrant management attention.\n\nLooking Ahead\n\nWe continue to look at the update/enumerate operation at the                    More than a dozen group quarters\xe2\x80\x94and possibly many more\xe2\x80\x94were not\nCheyenne River Reservation and Off-Reservation Trust Land in                    on the Census Bureau\xe2\x80\x99s enumeration list. This home is one of 15 missing\nSouth Dakota. During this operation, which is used in communities               from the list that we found by conducting a limited Internet search.\nwhere residents are less likely to return a completed questionnaire,            Source:\xe2\x80\x82oIG\n\n\n\n\n6                                                                                             U.S. Department of Commerce/Office of Inspector General\n\x0c                                                                                                             Major Challenges for the Department\n\n\n\n\nenumerators update the address lists and maps and interview a\nresident to complete a questionnaire for each housing unit. We\nare assessing whether the update/enumerate operation obtained\ncomplete and accurate enumerations, especially with respect to\nlarge households, and if it resulted in improved address lists and\nmaps. We are also assessing the bureau\xe2\x80\x99s method for designating\nwhich communities require this type of enumeration.\n\n\n\n\nChallenge 6\n\nEffectively Manage the\nDevelopment and Acquisition\nof Environmental Satellites                                            Source: http://goes.gsfc.nasa.gov/images/GoES-R_Color_Lg.jpg\n\n\nOver the next 5 years, the Department, through NOAA, will spend        Commerce IG Johnnie E. Frazier reported our findings to the\nseveral billion dollars in contracts for the purchase, construction,   House Science Committee in May (see page 50), as the recertifi\nand modernization of environmental satellites.5 These systems,         cation process was in progress. In June, the Committee accepted\noperated by NOAA\xe2\x80\x99s National Environmental Satellite, Data and          a triagency proposal to continue the program with the following\nInformation Service (NESDIS), collect data to provide short- and       changes:6\nlong-range weather forecasts and a variety of other critical envi\n                                                                       \xe2\x80\xa2\t Total acquisition costs were revised to $11.5 billion to support\nronmental and climate information.\n                                                                          NPOESS satellite coverage through 2026.\nComplex, high-cost acquisitions such as these are extremely dif        \xe2\x80\xa2\t The number of satellites was reduced from six to four, with the\nficult to manage within cost and schedule goals, as was revealed          U.S. relying on European satellites to fill in any gaps resulting\nin our audit during this reporting period of the National Polar-          from the reduction.\norbiting Operational Environmental Satellite System (NPOESS)\n                                                                       \xe2\x80\xa2\t The first satellite will launch in 2013 rather than 2010, as\n(see page 29). This system\xe2\x80\x94a joint project of NOAA, NASA, and\n                                                                          proposed in the original program.\nDefense\xe2\x80\x94is critical to the nation\xe2\x80\x99s ability to provide continuous\nweather and environmental data for civilian and military needs         \xe2\x80\xa2\t The number of sensors will drop from seven to five.\nthrough the coming 2 decades. Initially projected to cost $6.5 bil\n                                                                       \xe2\x80\xa2\t Management reforms, including our recommendations for\nlion, the program recently underwent a mandatory congressional\n                                                                          improving EXCOM oversight and revising the award fee\nreview to see if it should be continued, given its troubling history\n                                                                          contract, will be implemented.\nof huge cost increases and schedule delays.\n                                                                       This program will continue to bear close watching as it restructures\nCongress Approves a Scaled-Back                                        and attempts to stay within its new cost and schedule goals, and\nNPOESS Program                                                         we intend to follow its progress and keep Congress apprised of\n                                                                       our findings.\nLast November, the Department of Defense reported that NPOESS\ncosts had grown by 25 percent over original estimates\xe2\x80\x94trig\n                                                                       GOES-R Costs, Schedule, and Capabilities\ngering the Nunn-McCurdy recertification provision of the FY\n                                                                       Are Being Redefined\n1982 National Defense Authorization Act. In addition to these\nstaggering cost increases, the program was running 17 months\n                                                                       The GOES-R series is the next generation of geostationary satel\nbehind schedule yet the contractor had received $123 million in\n                                                                       lites that will replace existing GOES satellites in the next decade.\nincentive payments.\n                                                                       The new series will have enhanced sensing capabilities that are\n                                                                       expected to offer an uninterrupted flow of high-quality data to\nWe sought to determine how cost and schedule overruns had grown\n                                                                       support weather forecasting, severe storm detection, and climate\nso dramatically while the contractor had been so well rewarded.\n                                                                       research vital to public safety. GOES-R is a multicontract, mul\nWe identified serious shortcomings in the contract\xe2\x80\x99s incentive\nstructure as well as in program oversight from NPOESS\xe2\x80\x99 execu\ntive committee, which consists of top leadership from NOAA,            5\n                                                                           http://www.osec.doc.gov/bmi/Budget/05APPR/PAR05.pdf, page 210\nNASA, and Defense.                                                     6\n                                                                           http://www.house.gov/science/hearings/full06/June%208/charter.pdf\n\n\n\n\nSeptember 2006/Semiannual Report to Congress                                                                                                   7\n\x0cMajor Challenges for the Department\n\n\n\n\ntiyear program wholly funded by Commerce, though the new                will use to leverage NASA\xe2\x80\x99s oversight expertise. We will also\nsatellites will be developed and acquired with help from NASA.          consider whether program staff report significant issues to senior\nThe Department\xe2\x80\x99s investment for GOES-R for fiscal years 2006            Department and NOAA oversight officials in a timely fashion and\nto 2010 is projected at about $2 billion.                               whether those officials take appropriate action.\n\nPlanning for the new series, which has been under way for the           Our acquisition focus will be on the program office\xe2\x80\x99s overall ap\npast 5 years, has given long and careful focus to the many risks        proach to procuring key satellite instruments, identifying potential\ninherent in developing satellite programs. Even so, the NPOESS          risks, and implementing associated mitigation strategies. We will\nexperience has put new pressure on agency senior officials and          also assess the acquisition contracts\xe2\x80\x99 award fee plans to determine\nprogram planners to have strong mechanisms in place for tracking        whether they are structured to promote excellent performance.\nevery phase of the program and promptly mitigating problems\nthat arise.                                                             NASA OIG plans to determine whether NASA program manage\n                                                                        ment councils effectively identify and review program issues and\nDuring this semiannual period, we initiated a joint review of the       progress, and whether procedures and processes are in place to\nGOES-R program with NASA\xe2\x80\x99s Office of Inspector General. Our             recognize, mitigate, and report technical risks in accordance with\nshared objective is to determine whether the Department and             NASA policy.\nNASA have created a management structure to ensure effective\noversight of the many risks associated with the GOES-R program.\nIn preparing for the review, we learned that the Department,\nNOAA, and NASA are restructuring major aspects of the program           Challenge 7\nas part of detailed risk reduction activities. GOES-R leadership is\nreassessing planned satellite capabilities and the timing of launches   Promote Fair Competition in\nin response to input on costs and technological risks provided by       International Trade\nan independent review team and contractors involved in defining\nthe program\xe2\x80\x99s major aspects. In addition, program officials are         The Department of Commerce accomplishes its goals of promoting\nconsidering changing approaches to managing the program and             trade, opening overseas markets to American firms, and protecting\nacquiring the satellites.                                               U.S. industry from unfair competition by imports primarily through\n                                                                        the work of the International Trade Administration (ITA). ITA\nAt Commerce, the oversight component of our work will look at the       also works with USPTO and NIST to assist U.S. companies with\nDepartment and NOAA\xe2\x80\x99s efforts to establish effective monitoring         intellectual property rights and standards. Over the past several\norganizations, policies, and procedures and the mechanisms NOAA         years, OIG has focused a number of reviews on the Department\xe2\x80\x99s\n\n\n\n\nSource: u.S. Census Bureau\n\n\n\n\n8                                                                                  U.S. Department of Commerce/Office of Inspector General\n\x0c                                                                                                      Major Challenges for the Department\n\n\n\n\nefforts to increase U.S. market opportunities, provide assistance\nto U.S. exporters, and overcome trade barriers in difficult foreign\nmarkets.\n\nIn September 2006, in response to OIG recommendations made to\nITA in several recent reports, the bureau\xe2\x80\x99s Commercial Service (CS)\nannounced extensive changes in its procedures for verifying export\nsuccess claims, its primary performance measure. CS stated that the\nnew procedures were necessary because, in a significant number of\ncases, OIG had found discrepancies in the reported export successes.\nThese discrepancies raised doubts about the integrity of the data\nCS reports to Congress and the administration on its accomplish-\nments. The new CS procedures require improved documentation,\nsupervisory confirmation of a sample of export success reports, and\nverification that CS provided value-added assistance.\n\nIn response to a request from the House Small Business Com-\nmittee, we are reviewing coordination and information sharing\nbetween Commerce and other U.S. government agencies with\nresponsibility for trade promotion. The review, which we will\ndiscuss in our next semiannual report, will assess Commerce\xe2\x80\x99s\nefforts to match export opportunities with export-ready companies,\nwith a focus on trade promotion agencies\xe2\x80\x99 use of the Internet to\ncommunicate leads and other relevant trade information.\n\nU.S. Trade Promotion in South America\n\nDuring this semiannual period, we conducted on-site inspections\nof CS posts in Brazil, Argentina, and Uruguay. Significant export      Source: OIG\nopportunities are opening in these countries as Brazil\xe2\x80\x99s large\neconomy continues its steady growth, Argentina recovers from\nits 2001-2002 economic crisis, and Uruguay pursues closer trade        Challenge 8\nrelations with the United States. Our inspections focused on the\nmanagement, program operations, and financial and administra-          Effectively Manage NOAA\xe2\x80\x99S\ntive practices of these three South American posts. We issued our      Stewardship of Ocean and\nreport on CS\xe2\x80\x99 operations in Argentina and Uruguay in September         Living Marine Resources\nwith 20 recommendations, and we will publish our report on CS\xe2\x80\x99\nlarger post in Brazil before the end of the calendar year.             The National Oceanic and Atmospheric Administration is charged\n                                                                       with monitoring the health of our nation\xe2\x80\x99s ocean, coastal, and\nOur review of CS Argentina and CS Uruguay found that the posts         Great Lakes resources; administering civilian ocean programs;\nare providing useful export assistance to U.S. companies and have      and protecting and preserving the nation\xe2\x80\x99s living marine resources\nestablished collaborative relationships with key U.S. government       through scientific research, fisheries management, enforcement,\noffices and nongovernmental organizations both in those countries      and habitat conservation.\nand in the United States. Our review found effective administrative\nmanagement practices at both posts, but we also identified some        During the past year, we followed up on our audit of the National\nfinancial management and accounting concerns that warrant the          Marine Fisheries Service\xe2\x80\x99s (NMFS\xe2\x80\x99) preparation of a biological\nattention of Commerce managers (see page 25).                          opinion for California\xe2\x80\x99s Central Valley Project, one of the nation\xe2\x80\x99s\n                                                                       major water conservation efforts. In response to our audit recom-\n                                                                       mendations, NOAA received three reviews of the opinion. One\n                                                                       review concluded that NMFS used the best scientific information\n                                                                       for the biological opinion, but two reviews concluded that NMFS\n                                                                       did not. In light of these findings, we asked NOAA officials to\n\n\n\n\nSeptember 2006/Semiannual Report to Congress                                                                                          11\n\x0csubmit to us a plan that identifies actions they will take to address\nthe deficiencies and implement the related recommendations made\nby the independent review organizations.\n\nNOAA\xe2\x80\x99s future challenges include its efforts as a steward of marine\nresources, the agency\xe2\x80\x99s consultation process, and its management\nof fisheries and marine mammals.\n\n\n\nChallenge 9\n\nAggressively Monitor\nEmergency Preparedness,\nSafety, and Security\nResponsibilities\n                                                                        These nuclear reactors are among 16 in operation throughout India, and the\nThe Department of Commerce has a dual responsibility in the             country has plans to build 6 more over the next 2 years. Under the terms\narea of emergency preparedness, safety, and security; not only          of a July 2006 agreement, the United States will give India greater access\nmust it be ready to protect 35,000+ employees and hundreds of           to dual-use technology to expand its civilian nuclear program and meet its\n                                                                        burgeoning energy needs.\nfacilities, but because several Commerce programs are critical to\nnational preparedness and recovery efforts, it must support U.S.        Source: http://as.wn.com/i/d5/8c9\x18997c\x18\x18de00.jpg and\n                                                                        http://www.icjt.org/npp/podrobnosti.php?drzava=\x18\x18&lokacija=7\x188\nefforts to prepare for, respond to, and promote recovery from\nmajor disasters.\n                                                                        Challenge 10\nWe continue to monitor Commerce\xe2\x80\x99s progress in resolving de\npartmental emergency preparedness and security weaknesses we\nidentified in assessments conducted in 2002 and 2005. Although\n                                                                        Enhance Export Controls for\nCommerce has made significant improvement in emergency                  Dual-Use Commodities\npreparedness to address some of the vulnerabilities, we found,\namong other things, the need for better departmental guidance           The Department\xe2\x80\x99s Bureau of Industry and Security (BIS) oversees\nand oversight of emergency programs, risk assessments, occupant         the federal government\xe2\x80\x99s export licensing system for dual-use\nemergency plans, and security forces at its domestic operations, as     commodities and technology and is charged with advancing U.S.\nwell as better oversight of security upgrades and greater attention     national economic security interests by administering and enforc\nto security at its overseas offices.                                    ing export controls. The primary goal of the licensing and enforce\n                                                                        ment system is to prevent hostile nations and terrorist groups from\nMore recently, in our review of the Commerce workers\xe2\x80\x99compensa           acquiring sensitive technologies and materials that have both\ntion program, we recommended that the Department consolidate            civilian and military applications by controlling their export.\nand analyze bureau safety data to help officials and managers\nidentify and correct problems. We also recommended the Depart           The National Defense Authorization Act (NDAA) for Fiscal\nment use this data to find ways to help prevent workplace injuries      Year 2000, as amended, directed the inspectors general of the\nand lower the number of employees who file claims for workers\xe2\x80\x99          departments of Commerce, Defense, Energy, and State, in con\ncompensation benefits.                                                  sultation with the directors of Central Intelligence7 and the FBI,\n                                                                        to report to Congress by March 30, 2000, and annually until the\nFinally, we are working with other PCIE members to publish              year 2007, on the adequacy of export controls and counterintel\na guide for evaluating emergency preparedness programs. The             ligence measures to prevent the acquisition of sensitive U.S.\nguide should be a useful tool for conducting future OIG or man          technology and technical information by countries and entities\nagement reviews of emergency preparedness in Commerce and               of concern. (The Office of Inspector General at the Department\nother federal agencies.                                                 of Homeland Security also has participated since its establish\n                                                                        ment in 2003.) In addition, the NDAA for FY 2001 requires\n\n                                                                        7\n                                                                          The Intelligence Reform and Terror Prevention Act of 2004 [Public Law 108\n                                                                        458], dated December 17, 2004, established the Director of National Intelligence\n                                                                        to serve as the head of the U.S. intelligence community.\n\n\n\n\n10                                                                                   U.S. Department of Commerce/Office of Inspector General\n\x0c                                                          the IGs to discuss in their annual interagency report the status\n                                                          or disposition of recommendations made in prior-year reports\n       Some Export Control Topics Covered\n                                                          submitted under the act.\n          by Interagency OIG Reviews\n                                                          We have initiated our eighth and final NDAA required review,\n   Federal automated export licensing systems             this time looking at the effectiveness of U.S. controls on dual-use\n   Commerce Control List and\xe2\x80\x82u.S. Munitions List          exports to India. India presents unique challenges to U.S. com\n                                                          mercial interests and export control policy. As one of the fastest\n   Deemed exports                                         growing economies in the world, India offers expanding trade\n                                                          opportunities for U.S. exporters but also increased competition\n   Export enforcement                                     for U.S. industry and labor.\n   Export licensing process for chemical and biological   We will detail the findings of our India evaluation in our March\n   agents                                                 2007 semiannual report. And though this will conclude our statu\n   u.S. dual-use export controls for China                tory reporting requirements under NDAA, we will continue to\n                                                          monitor BIS\xe2\x80\x99 efforts to implement and enforce dual-use export\n   u.S. dual-use export controls for India (Commerce      controls, given the importance of this mission to the nation\xe2\x80\x99s\n   only)                                                  security. We will also follow up on our previous NDAA recom\n                                                          mendations and report on BIS\xe2\x80\x99 progress in implementing them in\n                                                          our next semiannual report.\n\n\n\n\nSeptember 2006/Semiannual Report to Congress                                                                           \x181\n\x0c'